逆WIN7X64内核调试体系之NtDebugActiveProcess



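/*
 * Hook/re-implementation of NtDebugActiveProcess (posted against a Win7 x64
 * kernel): attach the process behind ProcessHandle to the debug object behind
 * DebugObjectHandle.
 *
 * ProcessHandle     - user-mode handle to the target process. It is referenced
 *                     with access mask 0x800 (presumably PROCESS_SUSPEND_RESUME,
 *                     as the real syscall requires — confirm against the build).
 * DebugObjectHandle - user-mode handle to a NewDbgObject-typed object,
 *                     referenced with access mask 0x2 (presumably
 *                     DEBUG_OBJECT_ADD_REMOVE_PROCESS — confirm).
 *
 * Returns: the NTSTATUS of ObReferenceObjectByHandle if the process handle
 * cannot be referenced; STATUS_INVALID_HANDLE if the target is the calling
 * process or the System process, or if the debug-object handle cannot be
 * referenced; STATUS_PROCESS_IS_TERMINATING if rundown protection cannot be
 * acquired; otherwise the status that was current when the Dbgkp helpers ran
 * (STATUS_SUCCESS — see the TODO below).
 *
 * Defects fixed relative to the posted listing:
 *  - every failure path now returns immediately. The original fell through
 *    after a failed or rejected process reference, so ExAcquireRundownProtection
 *    and the Dbgkp helpers could run on an unreferenced or already-dereferenced
 *    `object`, and a failed debug-object reference dereferenced the
 *    uninitialized `debugobject`;
 *  - ExfReleaseRundownProtection is only called after a successful acquire
 *    (the original released it on the STATUS_PROCESS_IS_TERMINATING path too);
 *  - the process reference is released on every path (the original leaked it
 *    on the success path), and the debug-object reference is released on the
 *    rundown-failure path where nothing consumed it.
 */
NTSTATUS __fastcall proxyNtDebugActiveProcess(HANDLE ProcessHandle, HANDLE DebugObjectHandle)
{
    PMY_OBJECT_TYPE object = NULL;
    PMY_OBJECT_TYPE debugobject = NULL;
    OBJECT_HANDLE_INFORMATION objecthandleinformation;
    PETHREAD LastThread = NULL;
    NTSTATUS status;

    /* Step 1: take a reference on the target process. */
    status = ObReferenceObjectByHandle(ProcessHandle, 0x800, PsProcessType, UserMode,
                                       &object, &objecthandleinformation);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* A process may not debug itself, and the System process is never a
     * valid target. The posted code reports this as STATUS_INVALID_HANDLE;
     * the stock kernel uses STATUS_ACCESS_DENIED here — kept as posted. */
    if (object == PsGetCurrentProcess() || object == PsInitialSystemProcess) {
        ObfDereferenceObject(object);
        return STATUS_INVALID_HANDLE;
    }

    /* Step 2: take a reference on the debug object. Any failure is collapsed
     * to STATUS_INVALID_HANDLE, as in the posted listing. */
    status = ObReferenceObjectByHandle(DebugObjectHandle, 0x2, NewDbgObject, UserMode,
                                       &debugobject, &objecthandleinformation);
    if (!NT_SUCCESS(status)) {
        ObfDereferenceObject(object);
        return STATUS_INVALID_HANDLE;
    }

    /* Step 3: hold the process's rundown protection while it is being
     * attached. 376 == 0x178, which is EPROCESS.RundownProtect on Win7 x64;
     * NOTE(review): `object + 376` is pointer arithmetic on PMY_OBJECT_TYPE and
     * only lands at byte offset 0x178 if MY_OBJECT_TYPE is byte-sized — confirm
     * the typedef. */
    if (!ExAcquireRundownProtection((PEX_RUNDOWN_REF*)(object + 376))) {
        /* Process is exiting; nothing consumed the debug-object reference. */
        ObfDereferenceObject(debugobject);
        ObfDereferenceObject(object);
        return STATUS_PROCESS_IS_TERMINATING;
    }

    /* TODO(review): the posted code discards the result of
     * DbgkpPostFakeProcessCreateMessages and of DbgkpSetProcessDebugObject and
     * hands the latter the (successful) status of the handle lookup. In the
     * stock kernel the first helper's status is passed to the second and the
     * second's status is what the syscall returns. The return types of the
     * pfn typedefs are not visible here, so the call shape is left unchanged;
     * wire the statuses through once the typedefs are confirmed. */
    ((pfnDbgkpPostFakeProcessCreateMessages)DbgkpPostFakeProcessCreateMessages)(object, debugobject, &LastThread);
    ((pfnDbgkpSetProcessDebugObject)DbgkpSetProcessDebugObject)(object, debugobject, status, LastThread);

    ExfReleaseRundownProtection((PEX_RUNDOWN_REF*)(object + 376));

    /* The debug-object reference is handed to DbgkpSetProcessDebugObject (as in
     * the stock kernel, which stores it in the process or drops it on failure),
     * so it is not released here — confirm against the hooked build. The
     * process reference taken in step 1 is ours to drop. */
    ObfDereferenceObject(object);

    return status;
}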

今天先发一个